Trust
@trust__90
Followers: 23K | Following: 1K | Media: 110 | Statuses: 790
Head of Trust Security, DM for booking | Master of hand-to-hand audit combat | C4/Immunefi/Sherlock VIP | Hacked Embedded, IoT, iOS in past life
Joined June 2012
Check out our GOAT lineup at Trust Security's new roster page! https://t.co/VlwFrq2UAK Magical things happen when you bring the provably best auditors on the planet to collaborate rather than compete. Book your/our success story today.
It's been a pleasure for TrustSec to be Story Protocol's Strategic Security Partner for the past year and a half! The team doesn't mess around or compromise when it comes to security. To bounty hunters - you find a critical, you will be paid in full.
Security is a core part of Story’s DNA. It's a constant, deliberate practice that protects everything from our network to the community members and ecosystems that depend on it. A closer look ↴
This is what happens when corporate interests and politics get in the way of an objective, just and immutable process. The validity of the reports in question is entirely irrelevant. They may or may not be valid mediums. Guess what - courts get decisions wrong all the time, is
@0xriptide @code4rena Riptide: You submitted two vibed findings that were downgraded because of their limited nature. They cause minor performance impact in off-chain consumers when compiled in nonstandard configurations. Setting aside who-decides-what, these findings don't merit Medium severity.
In trying to doxx me for his 15 minutes of fame, Jack only showed how out of touch he is with this industry. CT is a place where people should be judged on merit and contributions—not their origin and personal details. Weaponizing doxxing as an uno-reverse card says more about
Sherlock: "We made the decision not to (reveal info) in order to protect the protocol's identity as much as possible." Meanwhile copy paste into ChatGPT instantly gives you protocol's identity... I swear this kind of shitshow only happens in CT. Damn, it's good to be back.
@jack__sanford @trust__90 @StrobeFinance @0xKaden Jack said I used too much SR skill to find out what protocol it is, so I deleted my earlier post. Instead I asked ChatGPT and it told me it's @StrobeFinance
Sherlock has the most rigid and well-defined criteria for bounty submissions out of all platforms. But it seems when their AI finds a live issue, it's legit to throw all the definitions out the window for a marketing stunt. What they call "reserve drain" is stealing 1 wei
Sherlock AI discovered a Critical vulnerability affecting $2,400,000 in a live lending protocol. This is the first known instance of an AI uncovering a multi-million-dollar bug on mainnet. Here's how Sherlock AI surfaced the vulnerability:
Exploit Bounty Opens We will allow the attacker a 12h grace period starting now to contact us, after which a bug bounty will be opened rewarding 10% of funds returned if the intel leads to a recovery. We already have several leads regarding the IP addresses and on-chain
Why Low-Severity Findings Say More About Your Audit Than Critical Bugs Many audit firms focus their sales pitch on number of Highs found as if this number isn't just noise without plugging in context: prior audits, peer review, test coverage levels, code complexity, line count
A critical in git released yesterday that can be triggered by git clone of untrusted repo. That's the dream vector to pwn auditors and steal their bounties / audit money. Patch your systems before quoting any new clients! And expect visitors in your inbox in coming weeks...
Turns out you can score 5-fig bounties in contests without actually discovering any issues, just a semi-functional brain needed. In the March 2024 OP Fault Proofs contest, devs fixed a critical issue a day before it started but didn't merge it in. 🔗 https://t.co/cmO1hnpxdE
Ok Zigtur, next time a high EV opportunity presents itself which fits my specializations, I will turn it down, or maybe stop half way when realizing it's too easy, because a rando on the internet does not approve of it.
@agfviggiano @trust__90 For sure he is a beast. That is not even a question here. But I don't really understand why he spent so much time on a project that didn't even look at OP specs.
Decided to give Cantina a try last October, 8 months later results are finally out... Tens of solo findings in 1st Java audit and outperforming top Cantina leaderboard bros by 3-7x feels pretty good, not gonna lie. It's a shame the post-audit experience was so terrible I vowed
Imagine a world where saying researchers should not be abused is a controversial take.. That's what happens when a firm with unlimited cash shows up and buys its way into market dominance. Dumping on researchers with extractive policies simply becomes the new Nash equilibrium
Hot takes that I think shouldn't be hot, and should be "the default"
1. The contest platform is ultimately responsible for the payout. It is the contest platform that promises payout, so if a platform doesn't pay out, no matter the drama, it is the platform's fault.
2. The
@cantinaxyz @jack__sanford The number of likes from Fellowship residents is astounding. Don't worry, your secret despising of said platform is safe with us. It's a shame that the market domination tactics have forced skilled researchers into losing so much of their bargaining power.
Every day that goes by it becomes increasingly clear to us that @cantinaxyz is an extractive entity and a net negative to the space. A week past @jack__sanford's killer piece on the countless deficiencies of the Cork contest and no hint of a response soon. With the amount of
- Keep state-changing LoC under 500
- use ++counter pattern for mapping keys
- don't support native tokens
- keep state machine in open view via state enums
- 1:1 test/LoC ratio
- format every line of code with a ruler
See, winning the game ain't that hard
Everything we've been told about "Code is Law" defense not standing a chance in court has been a lie. Mango Markets / Avi Eisenberg charges have just been dropped by a federal charge. The same logic used to dismiss the case can be used for pretty much any permissionless DeFi
As a veteran of the audit contest industry, I will tell you how deals like these are made.
> Be protocol with money and do 3+ collaborative audits
> Know that the codebase probably doesn't have significant bugs
> Want to signal to the community, investors and other stakeholders
The @PumpDotFun $2,010,000 competition results are in. 🪐 Your top-ranked researchers:
🥇 @juaan & @0xSpearmint (team): $2,762.43
🥈 @KoolexC: $1,745.85
🥉 @_0xarno_, @0xhuy0512, lukaprini, @shaflow01, @zigtur: $1,000.00 each
Thank you to everyone who participated. Full